fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2

General

Target

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Size

375KB
MD5

95c61f88877e5318bbc67724217cd424
SHA1

6c9e9bb00a43b11c3752f4e7ba5c9b0f525f6fa0
SHA256

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2
SHA512

3abba7059e8bc612a050ad1f52f06b7cec3407f3ec7900bb45fcb20f3aaa753f16067dcebad61bb83c58415199a37c3b40faca52d29b3580b093b0433edfe97f

Score

7^/10

adware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

pid	process
4592	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
4592	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 5 IoCs

Processes:

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\CBRun.rar	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
File created	C:\Windows\SysWOW64\CBExt.bpl	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
File created	C:\Windows\SysWOW64\CBRun.bpl	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
File created	C:\Windows\SysWOW64\AppCache.v2.dat	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
File opened for modification	C:\Windows\SysWOW64\AppCache.v2.dat	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEfd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4066032656"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4058063908"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960893"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30960893"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4058063908"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1D7C61F4-D8F1-11EC-AD90-D2F448B606D1} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\DEPoff = "1"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\DEPon = "1"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30960893"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359894039"	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CLXBaseRun\Clsid\ = "{81C57AAD-F991-48E5-A42D-51AF23F40150}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\InprocServer32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ = "ICLXBaseRun"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\ = "EmbedWordX Control"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\InprocServer32\ThreadingModel = "Apartment"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\ProgID\ = "CLXBaseAppX.CLXBaseRun"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib\Version = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Version\ = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Control	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib\Version = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\ToolboxBitmap32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\ = "IEmbedWordXEvents"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\MiscStatus\1\ = "205201"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Verb\0\ = "Properties,0,2"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Verb	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\MiscStatus	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\MiscStatus\1\ = "205201"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAE1419C-B543-4AD0-BDD4-065E1A505269}\ProgID\ = "CLXBaseAppX.CBXNSHandler"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ProxyStubClsid32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\MiscStatus\1\ = "205201"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ = "IntelliObjX Control"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Verb	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CBRun.bpl,2"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Verb\0	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CBXNSHandler\ = "CBXNSHandler"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.CBXNSHandler\Clsid\ = "{DAE1419C-B543-4AD0-BDD4-065E1A505269}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51C34CCD-02E7-487F-900A-80F01B807969}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.EmbedWordX\Clsid\ = "{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A46ADB95-7678-4C80-95EA-A6C48DF2E5BC}\TypeLib\Version = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLXBaseAppX.EmbedWordX	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Control\	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\Control\	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCC51463-1F85-462B-A8FA-A8428805B304}\1.0	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\MiscStatus\ = "0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\InprocServer32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0981FBA3-F54A-4C81-B343-53A1C7B78CD9}\TypeLib\Version = "1.0"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFEE3E69-F75C-4ED7-A3FE-1CF67C096D64}\Control	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{569137C9-A7AA-41FB-AC5A-116E8C91399D}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FAB0FBD-2252-4825-A581-512F9EE939C3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E80FD4F4-DEFA-41C7-A5EE-8E75C22C3077}\TypeLib\ = "{CCC51463-1F85-462B-A8FA-A8428805B304}"	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\TypeLib	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81C57AAD-F991-48E5-A42D-51AF23F40150}\Verb\	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DAF593D9-515A-4869-864D-8DCE6D7DCB91}\ToolboxBitmap32	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1724 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1724 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1724 IEXPLORE.EXE
1724 IEXPLORE.EXE
224 IEXPLORE.EXE
224 IEXPLORE.EXE
224 IEXPLORE.EXE
224 IEXPLORE.EXE

pid	process
1724	IEXPLORE.EXE

pid	process
1724	IEXPLORE.EXE

pid	process
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE
224	IEXPLORE.EXE
224	IEXPLORE.EXE
224	IEXPLORE.EXE
224	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exeIEXPLORE.EXE

description	pid	process	target process
PID 4592 wrote to memory of 1724	4592	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe	IEXPLORE.EXE
PID 4592 wrote to memory of 1724	4592	fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 224	1724	IEXPLORE.EXE	IEXPLORE.EXE
PID 1724 wrote to memory of 224	1724	IEXPLORE.EXE	IEXPLORE.EXE
PID 1724 wrote to memory of 224	1724	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe
"C:\Users\Admin\AppData\Local\Temp\fd8daa617e124543707d7e9ac4ce3137f3d0b242d451a3b765c2c74e3abe9cf2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
bd72dc52da415559c02553bb1e7bd3c3

SHA1
64e00d8ec1ecb62146f0a2349e9fab7e7cb48ac4

SHA256
ac706580ffcb98d6b28184b26f71eaca509846170a3dba74c2a48a646e8c8eed

SHA512
e6e90e6c60e0f1419a9c1ce4863f5ef93b03967c8e0a5ebe570e48556ff0bd097acfe43e25e10ec8f2a4377c134d9c1ccf233b89c1bdce0038a04ef869a82139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
3ec569bdb4c1c095e9e5672c18e2dec1

SHA1
1e3a61498e0f8e3f87d0daa2e5c3ea193a40d508

SHA256
714757e71539e66c360f26bac04ffebfa39df7c7b7fbe70b303c8d92f1b76625

SHA512
0bff30cd53c05047f224cd6dd1c89db9fd1a52154687c59c65f22bdfca6fe759c4c52d4f8cbdc9d0fbd4f69ef82c279a193a802dd8a5294a21b750d706d778ab

Download Submit
C:\Windows\SysWOW64\CBRun.bpl
Filesize
7.2MB

MD5
45682678083ba2f948dd6517e1b5323b

SHA1
990c6cd98510d1d73d61bc652d2900894da0a319

SHA256
4a0d3d5680985b883446801a6e4b71d20abc643a5b8272a214defbf18843066c

SHA512
a81fb6ba09c0bec253d1c5580a27c188962293ef64a56f8ed08c7c1cf53da4579725b63266555768cc2a112688c0c46672dab33550675f9d9e9b7db7a357a92f

Download Submit
C:\Windows\SysWOW64\CBRun.bpl
Filesize
7.2MB

MD5
45682678083ba2f948dd6517e1b5323b

SHA1
990c6cd98510d1d73d61bc652d2900894da0a319

SHA256
4a0d3d5680985b883446801a6e4b71d20abc643a5b8272a214defbf18843066c

SHA512
a81fb6ba09c0bec253d1c5580a27c188962293ef64a56f8ed08c7c1cf53da4579725b63266555768cc2a112688c0c46672dab33550675f9d9e9b7db7a357a92f

Download Submit
memory/4592-131-0x0000000002400000-0x0000000002448000-memory.dmp

Filesize
288KB

Download
memory/4592-138-0x00000000056F0000-0x0000000005E35000-memory.dmp

Filesize
7.3MB

Download
memory/4592-140-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/4592-147-0x0000000004C90000-0x0000000004D4A000-memory.dmp

Filesize
744KB

Download
memory/4592-153-0x0000000004D50000-0x0000000004D71000-memory.dmp

Filesize
132KB

Download
memory/4592-161-0x0000000006400000-0x00000000064BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads